ALTER MASTER KEY (Transact-SQL)
SQL Server 2005 Books Online (November 2008)
ALTER MASTER KEY (Transact-SQL)

Changes the properties of a database master key.

Topic link icon Transact-SQL Syntax Conventions

 Syntax 
ALTER MASTER KEY <alter_option>

<alter_option> ::=
    <regenerate_option> | <encryption_option>

<regenerate_option> ::=
    [ FORCE ] REGENERATE WITH ENCRYPTION BY PASSWORD = 'password'

<encryption_option> ::=
    ADD ENCRYPTION BY [ SERVICE MASTER KEY | PASSWORD = 'password' ]
    | 
    DROP ENCRYPTION BY [ SERVICE MASTER KEY | PASSWORD = 'password' ]
 Arguments
PASSWORD = 'password'

Specifies a password with which to encrypt or decrypt the database master key.

 Remarks

The REGENERATE option re-creates the database master key and all the keys it protects. The keys are first decrypted with the old master key, and then encrypted with the new master key. This resource-intensive operation should be scheduled during a period of low demand, unless the master key has been compromised.

When the FORCE option is used, key regeneration will continue even if the master key is unavailable or the server cannot decrypt all the encrypted private keys. If the master key cannot be opened, use the RESTORE MASTER KEY statement to restore the master key from a backup. Use the FORCE option only if the master key is irretrievable or if decryption fails. Information that is encrypted only by an irretrievable key will be lost.

The DROP ENCRYPTION BY SERVICE MASTER KEY option removes the encryption of the database master key by the service master key.

ADD ENCRYPTION BY SERVICE MASTER KEY causes a copy of the master key to be encrypted using the service master key and stored in both the current database and in master.

 Permissions

Requires CONTROL permission on the database. If the database master key has been encrypted with a password, knowledge of that password is also required.
 Examples

The following example creates a new database master key for AdventureWorks and reencrypts the keys below it in the encryption hierarchy. 

USE AdventureWorks;
ALTER MASTER KEY REGENERATE WITH ENCRYPTION BY PASSWORD = 'dsjdkflJ435907NnmM#sX003';
GO
 See Also

Reference

CREATE MASTER KEY (Transact-SQL)
OPEN MASTER KEY (Transact-SQL)
CLOSE MASTER KEY (Transact-SQL)
BACKUP MASTER KEY (Transact-SQL)
RESTORE MASTER KEY (Transact-SQL)
DROP MASTER KEY (Transact-SQL)
CREATE DATABASE (Transact-SQL)

Other Resources

Encryption Hierarchy
Detaching and Attaching Databases

Help and Information

Getting SQL Server 2005 Assistance
Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
Question      jhhhj   |   Edit   |   Show History
This is a question not a recommendation. Please verify before posting/applying it.

ALTER MASTER KEY DROP ENCRYPTION BY PASSWORD = 'original password';

throws the following error:

Msg 15558, Level 16, State 1, Line 1

Cannot drop encryption by password '********'.

Because a key can not be stored in a database without encryption. Adding encryption by SMK adds encryption to a master database not the original database, so that would not help dropping password encryption.

Why there is a provision in syntax for performing such operation?
Tags What's this?: Add a tag
Flag as ContentBug
Answer to above question      John Bailey   |   Edit   |   Show History

I thought I would answer this so no one gets confused. The drop encryption syntax is valid. ALTER MASTER KEY ADD ENCRYPTION BY PASSWORD can be called more than once and will add any number of passwords. Only the LAST password cannot be dropped. You can add a new password and then drop the original if you like.

Tags What's this?: Add a tag
Flag as ContentBug
Page view tracker